IT professionals deal with dozens of regulatory and business-compliance requirements
that affect storage management, yet often their companies choose storage solutions
with little or no consideration for how those solutions can help meet compliance
requirements. I've chosen three common regulatory-compliance areas—the
Health Insurance Portability and Accountability Act (HIPAA), Securities and
Exchange Commission (SEC) Rule 17a-4, and the Sarbanes-Oxley (SOX) Act—to
illustrate the different compliance needs that can affect storage management.
In future articles in this series, we'll delve into specific storage solutions
to meet compliance needs.
The Storage Perspective
With all the compliance and regulatory issues that corporate enterprises deal
with, the concerns of a storage administrator don't usually get the attention
they deserve. This is because senior management considers IT from a vertical
perspective. That is, management looks at IT as a discrete set of issues, where
each problem and its solutions get stuck in a box, and that collection of boxes
is the IT department's responsibility to handle without affecting the business
workflow or user experience. This prevalent attitude among senior management
has its own pitfalls, especially in the area of network storage.
What corporate management needs to accept and corporate IT needs to learn is
that certain technologies such as network security and storage management cut
horizontally across the enterprise. No one would argue that network security
isn't important to consider across the enterprise, but the reality is that in
most cases it's still treated more as a vertical responsibility: One
group is responsible for perimeter security, another group is responsible for
application security, and yet a third group is responsible for data security.
Worse yet, each of those groups might be divided into smaller areas of responsibility,
resulting in minimal coordination or cooperation between those responsible for
maintaining security at the hands-on level.
This lack of coordination is especially prevalent in storage management. Everyone,
from entire departments down to individual users, tends to consider the storage
to which they have access as theirs. This attitude simply exacerbates the problems
that IT encounters when trying to implement a comprehensive storage management
strategy. Yet despite those problems, you need a strategy to address the regulatory-compliance
requirements regarding data storage. You need to analyze your storage requirements
in a horizontal fashion, given how storage underlies almost every corporate
computing activity. Doing so will help you develop a strong storage model that
can help your company meet compliance needs without sacrificing usability and
accessibility.
Regulatory Standards and Storage
Consider the variety of commonplace regulatory standards, ranging from the privacy
and security requirements of HIPAA, to the records-retention requirements of SEC Rule
17a-4 (how long broker-dealer records must be preserved and in what form), to the
internal-control and record-retention requirements of SOX. All impose explicit
or implied responsibilities on corporate storage. What companies rarely consider
is that the business's regulatory environment should drive the selection
of storage and of a storage management strategy. Rather than trying to make an
existing storage solution solve problems for which it wasn't designed, it's
far more practical to factor in compliance issues when you're making decisions
about new or expanded storage environments.
Using our three regulatory examples (HIPAA, Rule
17a-4, and SOX), let's look at the most common of storage
concerns—backup and recovery. In all three compliance
areas, it's essential to have reliable backups and the ability to
recover accidentally deleted information, but the priorities
and specific details of this requirement differ with each set
of regulations.
HIPAA and Storage
In the case of HIPAA, it's obviously important not to lose patient information
(the Security Rule's contingency-plan standard requires a data backup plan),
but the key to the regulatory coverage is protecting the privacy of that information.
This means that you need to maintain careful control over who can actually read
the data through the backup and restore process, including who can read backup
media once it leaves the data center, not to mention who can request
that IT restore data. Not all data protection schemes provide
this level of access control, yet in a HIPAA-mandated environment,
access control over stored data should be one of the primary considerations in the implementation
of any data protection, backup, and recovery solution.
You'll need to translate the various HIPAA requirements for administrative,
physical, and technical safeguards to actions related to storage, ranging from
what type of written policies and procedures you keep regarding the use of network
storage to the possibilities of hardware-based data encryption done at the storage-server
level. HIPAA requirements affect storage policies throughout the equipment life-cycle,
from the point of introduction to the network to how equipment must be disposed
of, with the goal of protecting the privacy of the potential data stored on
that hardware.
In regard to storage management, a business's primary concern under HIPAA is protecting
stored data from unauthorized access. Everything else is secondary, because if that
primary requirement is violated, the potential exists for serious legal action against the
business. This mandate for protection of stored data places the added burden on
administrators of cleaning up the tracks a file leaves within the computing environment.
Temporary files, copies of files on client computers, retired backup tapes, or any other
location where data might once have resided must be sanitized. That is, you must not
only delete the files themselves but also remove every reference to them, the residual
data they leave behind in freed or slack disk space, and the metadata (such as ACLs)
that describes them. Bear in mind that an ordinary delete only removes the directory
entry: the data blocks stay readable on the raw device until something overwrites them,
and on solid-state media, copy-on-write filesystems, and snapshotted volumes even an
in-place overwrite does not reliably destroy them, which is why disposal of media that
held protected data usually comes down to encryption with key destruction or physical
destruction of the device. Although protecting data from unauthorized access is always
on the mind of the storage administrator, HIPAA's regulatory requirements complicate
storage practices immensely. Even a file deletion is no longer simple, and storage
policies and procedures must reflect this reality.
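As an added example (not from the article, and not any vendor's tool), the following Python routine shows what "deleting" a file has to mean under this standard on ordinary block storage: overwrite the file's existing blocks in place, flush them to the device, scrub the directory entry, and only then unlink. The comments also record the cases where this approach is not sufficient. The POSIX host, the in-place filesystem behaviour, the file names and the patient record are assumptions and constructed sample data, not anything the article describes.

```python
# Added example, not from the article. Best-effort sanitization of a single
# file that held regulated data. Assumes a POSIX host and a filesystem that
# rewrites a file's existing blocks in place (e.g. ext4 or XFS with no
# snapshots); that assumption is stated here, not established by the article.
import os
import secrets
import tempfile

CHUNK = 64 * 1024
# Constructed sample record (made-up data) used by demo() below.
RECORD = b"MRN 0000001 | DOE, JANE | DX: example only\n"


def contains(path, needle):
    """True if the byte string needle still appears anywhere in the file."""
    with open(path, "rb") as f:
        return needle in f.read()


def overwrite_in_place(path, passes=1):
    """Overwrite the file's current length with random bytes through the
    existing inode (mode r+b, no truncate), so on an in-place filesystem the
    old data blocks are replaced instead of being freed and left readable on
    the raw device. fsync() after each pass forces the writes to the device
    before anything is unlinked. Returns the number of bytes overwritten."""
    if os.path.islink(path):
        raise ValueError("refusing to follow symlink: %s" % path)
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                written = f.write(secrets.token_bytes(min(CHUNK, remaining)))
                remaining -= written
            os.fsync(f.fileno())
    return size


def sanitize_file(path, passes=1):
    """Overwrite, truncate, scrub the directory entry, then unlink.
    The rename replaces the original filename, which may itself carry an
    identifier (a patient number, for instance), before the entry is freed."""
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    dfd = os.open(directory, os.O_RDONLY)  # persist the directory change itself
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)
    return {"path": path, "bytes_overwritten": size, "passes": passes}


# Where this is NOT sufficient (the "random pieces of data on disk" problem):
#  - copy-on-write filesystems (btrfs, ZFS, APFS) and any volume with snapshots
#    write new blocks and keep the old ones;
#  - SSDs remap writes through wear levelling, so the old cells may survive;
#  - copies already taken by backups, replication, or users are untouched.
# For those cases the practical answer is encryption with key destruction
# (crypto-erase), device-level sanitize commands, or physical destruction of
# the media, as laid out in NIST SP 800-88.


def demo():
    """Walk through the routine on a constructed file and report what was
    observable at each step (all data is made up)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "patient-0000001.txt")
        with open(path, "wb") as f:
            f.write(RECORD * 100)
        before = contains(path, b"DOE, JANE")
        size = overwrite_in_place(path)
        after_overwrite = contains(path, b"DOE, JANE")
        same_size = os.path.getsize(path) == size
        sanitize_file(path)
        gone = not os.path.exists(path)
    return {"before": before, "after_overwrite": after_overwrite,
            "same_size": same_size, "bytes_overwritten": size,
            "expected_size": len(RECORD) * 100, "gone": gone}


if __name__ == "__main__":
    print(demo())
```

The point of the three observations in demo() is the order of operations: the record is present before the overwrite, absent afterwards while the file is still its original size (so the old blocks, not new ones, were written), and only then is the entry removed. Run it as a script to see the report; on a copy-on-write or snapshotted volume the report looks identical but the old blocks are still on the device, which is exactly why the caveats above belong in the written procedure and not just in the code.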
Simply put, HIPAA requirements change the standard corporate storage management
mindset and affect all network-attached computing activities. Given the nature
of the modern medical environment, this means that storage management policies
and practices apply horizontally across a broad variety of vertical applications.